Is decrypting secrets with ccrypt and piping the result via stdin to openvpn secure?

I've written the following alias to start an openvpn client more easily than before:

sudo bash -c 'cd OPVN_CONFIGS_DIR && ccrypt --cat _auth.conf.cpt | openvpn --config waw-001.ovpn --auth-user-pass /dev/stdin'

NB: OPVN_CONFIGS_DIR is located in a synced folder (let's say Dropbox for simplicity)

NB: bash -c rather than a simple expansion because this is sometimes run in fish shell

The options I had before:

  • Use auth-user-pass to store my username + password in clear text. Looks to be the default option with openvpn but seems like a bad idea in general and even more so in my case since the secrets would be stored in a synced folder.
  • Enter my openvpn username and password every time which is a pain since the password is a very long random string. I cannot set a password myself, only reset it to another, just as long, random string. (and I'm not comfortable using a CLI password manager that stores passwords in the clipboard like passwordstore.org does)

My issue is that with the previous command openvpn complains about the following:

WARNING: file '/dev/stdin' is group or others accessible

My questions:

  • What are the implications of this warning?
  • What is the 'group' mentioned in the warning? The sudo group?
  • Is there a better way to manage secrets on the client side with openvpn?

Thank you

rmercier
  • The warning makes more sense for regular files—`/dev/stdin` isn't and doesn't link to a regular file. The message is usually to warn users of configurations where the auth file is readable by other users. – Torin May 19 '20 at 20:38
  • As for how secure, how are you deriving the key for decrypting the file? Storing the username and password locally isn't necessarily insecure – Torin May 19 '20 at 20:42
  • @Torin I don't know the specifics but in my case I would use `ccrypt --encrypt TXT.ext` with the content 'Username\nPassword\n' then type a password twice in an interactive prompt. This would generate a TXT.ext.cpt file and delete the original TXT.ext file. Then, when I want to output the unencrypted content, I would use `ccrypt --cat TXT.ext.cpt` and input my password in the interactive prompt. I store the ccrypt password in my pw manager only and I'm guessing ccrypt doesn't store the password for this file anywhere else on its own? Not sure if that answers your question :/ – rmercier May 20 '20 at 11:56
  • @Torin "Storing the username and password locally isn't necessarily insecure" => but storing them in clear text in a shared/synced directory would be insecure, correct? – rmercier May 20 '20 at 11:58
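An added example, not from the question or from OpenVPN itself, that reproduces the permission test behind the warning discussed above: OpenVPN stat()s the path given to --auth-user-pass and warns when any group or other permission bit is set, so the "group" in the message is the owning group in the file's mode bits, not a login group such as sudo. The file names, the mkfifo alternative and the sample credentials are constructed for the demonstration.

```shell
#!/bin/sh
# Reproduce the permission test behind OpenVPN's message
#   WARNING: file '<path>' is group or others accessible
# OpenVPN stat()s the --auth-user-pass path (following symlinks) and warns when
# any group or other permission bit is set. "group" is the owning group in the
# file mode (the g= and o= rwx bits), not a login group such as sudo.

# Octal permission bits of PATH, following symlinks (GNU stat, then BSD stat).
mode_of() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Success when neither group nor other bits are set (mode ends in 00).
is_private_mode() {
    m=$(mode_of "$1" 2>/dev/null) || return 1
    m=$(printf '%04d' "$m")              # pad so "0" and "600" line up
    [ "${m#"${m%??}"}" = "00" ]
}

# Print the same line OpenVPN would, or "ok"; return 1 on a weak mode.
check_auth_file() {
    mode=$(mode_of "$1" 2>/dev/null) || { printf 'cannot stat %s\n' "$1"; return 2; }
    if is_private_mode "$1"; then
        printf 'ok: %s (mode %s)\n' "$1" "$mode"
    else
        printf "WARNING: file '%s' is group or others accessible\n" "$1"
        return 1
    fi
}

# Demonstration on constructed files; no real credentials are involved.
demo() {
    dir=$(mktemp -d) && chmod 700 "$dir"
    printf 'example-user\nexample-pass\n' > "$dir/auth.txt"      # constructed
    chmod 644 "$dir/auth.txt"; check_auth_file "$dir/auth.txt"   # warns
    chmod 600 "$dir/auth.txt"; check_auth_file "$dir/auth.txt"   # ok
    # A FIFO created as 0600 satisfies the same test. What /dev/stdin resolves
    # to depends on the caller: a pty is typically mode 620, /dev/null is 666.
    mkfifo -m 600 "$dir/auth.fifo"; check_auth_file "$dir/auth.fifo"   # ok
    check_auth_file /dev/stdin
    rm -rf "$dir"
}

demo
```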